Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Message-ID: <002c01c1a23f$ac0f2e80$2801a8c0@DCUTHBERT2K>
From: "Dylan Cuthbert" <dylan AT q-games DOT com>
To: <cygwin AT cygwin DOT com>
Subject: security with the ftp daemon
Date: Mon, 21 Jan 2002 14:51:29 +0900
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-2022-jp"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

Hi there,

I've set up the ftp server with inetutils on win2k, but I get a strange
security hole.

I've set permissions so that only "Administrators" can access the cygwin
directories.  The home directories are only accessible by their respective
users and /bin is Everyone and read-only.

However, after setting this up and rebooting the machine once, if I ftp in
as a regular user I can access all the administrator priviledge directories
(in read/write mode!) with no problem at all.  Is this a known problem and
is there a way to get it to work securely?  Surely the ftp daemon should
switch its user to the id of the person logging in?

Regards

---------------------------------
Q-Games, Dylan Cuthbert.
http://www.q-games.com


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/